Use Your SSH Client To Help Prevent Stupid Mistakes

I have chosen the path of system administration for my career. It's been very rewarding, and I really love my job. However, there are times when I make stupid mistakes that cost others money. I'm sure we've all been there. It's stressful, embarrassing and can really shake you up, if your mistake is bad enough. Many times, this happens because you fat-fingered an IP address, hostname, or something else, and your SSH client takes you somewhere you shouldn't be. If that's the case, hopefully this post can help.

LocalCommand
Specifies a command to execute on the local machine after successfully connecting to the server. The command string extends to the end of the line, and is executed with the user's shell. The following escape character substitutions will be performed: ‘%d’ (local user's home directory), ‘%h’ (remote host name), ‘%l’ (local host name), ‘%n’ (host name as provided on the command line), ‘%p’ (remote port), ‘%r’ (remote user name) or ‘%u’ (local user name).

The command is run synchronously and does not have access to the session of the ssh(1) that spawned it. It should not be used for interactive commands.

This directive is ignored unless PermitLocalCommand has been enabled.

As mentioned, the use of LocalCommand executes a local command after successfully connecting to the server. I figured this would be a great way to print something to the terminal, letting me know whether or not my client just connected to a production machine, a QA machine, or a development machine.

I wanted to use colors, to make it obvious. I don't want to make the same mistake twice, so I want it painfully clear what machine I just went to. So, if I go to a development or home machine, use green. If I enter a QA machine, use yellow. If I enter a production machine, or another serious machine I probably shouldn't be on, use red. To do this, I can take advantage of the ANSI escape sequences for color. In case you forgot, here are the colors and modes:

So, if I were about to SSH to a production machine, I probably want to make it as obvious as possible. Thus, I could print to the terminal, in blinking, bold, red text "PRODUCTION". I could use the following command:

print "\e[1;5;31mPRODUCTION\e[0;m"

Notice that at the end of the sequence, I'm resetting the text attributes. If you don't do this, the text attributes stay set in your terminal, and that may have an effect on how the text is displayed in your remote SSH connection.
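The color-per-environment idea above, written out as a small script that LocalCommand can call. This is an added example, not code from the original post: the script name ssh-banner, its ~/bin location and the example.com host name patterns are assumptions made for illustration.

```shell
#!/bin/sh
# ssh-banner: print a colour-coded environment banner for a host name.
# Hypothetical helper; one way to wire it up in ~/.ssh/config:
#   Host *
#       PermitLocalCommand yes
#       LocalCommand ~/bin/ssh-banner %h
# The host name patterns below are a constructed naming convention.

# Map a host name to an environment label.
classify_host() {
    case "$1" in
        *.prod.example.com) echo PRODUCTION ;;
        *.qa.example.com)   echo QA ;;
        *)                  echo DEVELOPMENT ;;
    esac
}

# Map an environment label to ANSI SGR attributes.
sgr_for_env() {
    case "$1" in
        PRODUCTION) echo '1;5;31' ;;  # bold, blinking, red
        QA)         echo '1;33' ;;    # bold, yellow
        *)          echo '32' ;;      # green
    esac
}

# Print ESC[<attrs>m TEXT ESC[0m, resetting the attributes so they do
# not leak into the remote session's output.
ssh_banner() {
    # Keep only characters valid in a host name, so the argument cannot
    # carry escape sequences of its own into the terminal.
    host=$(printf '%s' "$1" | tr -cd 'A-Za-z0-9._-')
    label=$(classify_host "$host")
    printf '\033[%sm*** %s: %s ***\033[0m\n' \
        "$(sgr_for_env "$label")" "$label" "$host"
}

# Run only when called with a host name, as LocalCommand would do.
if [ "$#" -gt 0 ]; then
    ssh_banner "$1"
fi
```

Because LocalCommand is ignored unless PermitLocalCommand is enabled, both directives have to be present for the banner to appear.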

Just tried it. Doesn't work. As the manual states, LocalCommand does not have access to the session that ssh(1) spawned. I think this may be as good as it gets. Of course, you could add newlines, and other things to make it blatantly obvious that you're in a production machine.

I think this approach is better because it has the advantage that the prompt is always visible, even after many screens of commands, and that it can be used for any user, regardless of their SSH client configuration.

Just configure it in one place (two to be precise, /etc/skel/.bashrc and /root/.bashrc, as well as the .bashrc of any existing user) and it's done.

I'm familiar with $PS1. Sure, you can change your prompt to give you more information. However, with prompts, they quickly become backgrounded noise, and you no longer notice the information. Something like this is yet another way to grab your attention, and let you know where you are.

That is a really cool idea. I've never thought of anything useful to do with LocalCommand. Thanks.

My method to achieve that same goal of identifying the remote end very clearly is to use figlet (http://www.figlet.org/) to display a big banner of the hostname, and perhaps a (normal text) description of the machine. Then add that to the /etc/motd.

Actually PS1+color coding is good. Color coding is generally good because your eyes get used to it and it's immediately obvious that you see a different color. PS1 in /etc/profiles or .shellrc helps everyone who uses the machine to see the point, not just me.

I'm also using $PS1 + colors. I even use them on my local machine, green means normal user and red means root. Red immediately catches your attention, so you won't forget that you're using root permissions. Could also be used on production machines.

The main benefit of this vs. LocalCommand is that with the latter option the warning only appears once and can't be seen anymore after issuing a few commands, while the $PS1 approach is always seen.

It's not about colored PS1 versus non-colored PS1. My root ZSH prompt is red, and it doesn't matter how many times I login as root, I always know I'm root, because of the red prompt.

However, what your eyes get used to, and your mind starts blocking out, is information. Adding "production" or "root" text to your prompt starts getting ignored quickly. However, with using LocalCommand, you can create an alert that makes you immediately aware of where you are.

So, again, it's not about PS1 versus LocalCommand. It's about making the alert visible, and in your face, so you always know where you are.

I've used figlet to produce a large reminder of which machine I've logged into using the motd for some years, although that doesn't help much if you've left screen running! I'll have to take a closer look at this, although I do like the idea of the colour coded PS1 too. Time for a bit of playing, I think.